Mitigating CPU Vulnerabilities: Removing the OS Blindfold

OS Level Solutions Are Not Enough

The recent Meltdown and Spectre vulnerabilities target weaknesses of the CPU rather than the Operating System, or the applications that run on it. (See here for background on how these vulnerabilities work).

Since they do not involve the Operating System, solutions that monitor at that level, such as traditional sandboxes, will be incapable of detecting these types of attack.

A lower level framework is required in order to properly identify and mitigate these attacks.


Using The CPU Level Framework To Mitigate The Spectre and Meltdown Vulnerabilities

CPU Level framework was introduced into the family of SandBlast Advanced Threat Prevention technologies three years ago. It allows visibility into the lowest level of execution of the system, the CPU. This therefore enables it to monitor and identify execution flow and provide an evasion resistant method for detecting deviation from normal execution. In this way it can detect even the most sophisticated software exploits.

Within hours of the vulnerabilities being made public, our research team demonstrated that the same framework can be used to identify attacks attempting to utilize the Spectre / Meltdown vulnerabilities. Examining certain key low level parameters at run time shows clear distinction between normal code execution and code that tries to abuse speculative execution.

For a full details of our research findings, visit our technical blog post.


A New Wave

Starting with Rowhammer, which exploited memory components, we believe this to be the dawn of a new wave of attacks exploiting hardware vulnerabilities.

This new wave will necessitate security vendors to offer deeper level visibility and control.  Only monitoring and protection at the CPU level will be able to detect the indications involved via the large number of attempts required in the Spectre and Meltdown vulnerabilities.

There are likely to be more ways in which CPU and speculative execution can be exploited and we believe there will be more attacks that rely on this same concept. Furthermore, fixing it at its core will only be possible at a hardware level, and therefore it will take years until the most of the market will be completely protected.

To prevent attack, enterprises must implement a multi-faceted prevention strategy that combines proactive protection and state-of-the-art CPU-level exploit detection capable of exposing the most highly camouflaged threats. Users should patch their machines with the latest OS updates on both the OS level as well as any patches provided by the hardware manufacturers.

The Check Point SandBlast Zero-Day Protection solution, which includes Threat Emulation, prevents infection from new malware and targeted attacks.
Disclaimer: The above outline is a simplified version of how the Spectre and Meltdown vulnerabilities work. Please visit our technical blog post for more details.